From owner-freebsd-net@freebsd.org  Thu Aug 17 03:51:35 2017
Return-Path: <owner-freebsd-net@freebsd.org>
Delivered-To: freebsd-net@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id 50D26DC6DFB
 for <freebsd-net@mailman.ysv.freebsd.org>;
 Thu, 17 Aug 2017 03:51:35 +0000 (UTC)
 (envelope-from dmahoney@isc.org)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [IPv6:2001:4f8:0:2::2b])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client CN "mx.pao1.isc.org",
 Issuer "COMODO RSA Organization Validation Secure Server CA" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id 3D47C83798
 for <freebsd-net@freebsd.org>; Thu, 17 Aug 2017 03:51:35 +0000 (UTC)
 (envelope-from dmahoney@isc.org)
Received: from bikeshed.isc.org (bikeshed.isc.org [IPv6:2001:4f8:3:d::19])
 (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits))
 (No client certificate requested)
 by mx.pao1.isc.org (Postfix) with ESMTPS id D3DED34B7ED
 for <freebsd-net@freebsd.org>; Thu, 17 Aug 2017 03:51:25 +0000 (UTC)
Received: by bikeshed.isc.org (Postfix, from userid 10302)
 id C7BFF216C1E; Thu, 17 Aug 2017 03:51:25 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
 by bikeshed.isc.org (Postfix) with ESMTP id C5FEB216C1C
 for <freebsd-net@freebsd.org>; Thu, 17 Aug 2017 03:51:25 +0000 (UTC)
Date: Thu, 17 Aug 2017 03:51:25 +0000 (UTC)
From: Dan Mahoney <dmahoney@isc.org>
To: freebsd-net@freebsd.org
Subject: How likely is it that we can get a kernel tweak for 11.1 so the
 tcpmd5.ko module works?
Message-ID: <alpine.BSF.2.20.1708170346270.71105@bikeshed.isc.org>
User-Agent: Alpine 2.20 (BSF 67 2015-01-07)
X-OpenPGP-Key-ID: 0xE919EC51
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
X-Spam-Status: No, score=-2.9 required=5.0 tests=ALL_TRUSTED,BAYES_00,
 RP_MATCHES_RCVD autolearn=ham autolearn_force=no version=3.4.0
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on mx.pao1.isc.org
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-net>,
 <mailto:freebsd-net-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-net/>
List-Post: <mailto:freebsd-net@freebsd.org>
List-Help: <mailto:freebsd-net-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-net>,
 <mailto:freebsd-net-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Aug 2017 03:51:35 -0000

All,

Please see https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=220170

Basically, there's a kernel module that's only usable if you've built a 
custom kernel with IPSEC_SUPPORT.  Since to build a custom kernel you've 
going to rebuild this module anyway, I'm not sure why it was shipped in 
-base.

ISC runs a lot of BGP routing daemons and many of the people we peer with 
require password auth as part of their peering policy.  We were really 
hoping for our new platform to not need to invent extra mechanics to 
build/deploy custom kernels.

How hard would it be to add:

1) IPSEC_SUPPORT to base without waiting for 11.2?  (After all, IPSEC 
itself is already in the base kernel).

or

2) Building another module that would add the necessary IPSEC_SUPPORT 
knobs so TCPMD5 loads without needing to modify the shipped kernel?

-Dan Mahoney
ISC